Painfully Outdated

The Privacy Protection Authority published draft guidelines on the use of drones in public spaces. Sometimes I wonder about the topics the Authority chooses to review in its guidelines, because from my experience they are not the most pressing issues. But I do know the authority is always well-intentioned and its fine people work their best to make do with the primitive materials of Israeli law available to them, in order to deliver the most advanced outcome possible.

But recently, I can't help have the disturbing feeling that the authority suffers from a reverse "Yehuda Halevi syndrome" – "its heart is in the west yet it is at the uttermost east". "How can I find savour in food? How will it be sweet to me?" asks Halevi, and this is the predicament of the authority as well. The Israeli Privacy Protection Law from 1981 is not to its liking at all. And I can see why. It is an old and worn out law which collapses under the burden of time. This is why the authority looks up to the advanced European standards for protection of personal data. These are embodied in the GDPR - General Data Protection Regulation.

A statement recently published by the authority asserts that e-mail addresses constitute "personal data" (as opposed to "means of communication", which a person is not obligated to formally register as a database). Indeed, any information that can be attributed to a person is "personal data" according to the European law – but this is not the case in terms of the Israeli law. Now we have the draft guidelines on the dangers to privacy presented by drones, and it is another example of the tendency towards the continental law; this is evident because the guidelines speak of the need to conduct data protection impact assessment, privacy by design as well as privacy by default. These are all keywords in modern laws on privacy. They are anchored in the European GDPR.

But the Israeli law is painfully old. It does not recognize these concepts at all. The Law was groundbreaking at its birth, but time did not do it justice: there were very few computer systems in use at the time. There were no personal computers, let alone mobile phones whose processing power is far greater than that of the computers onboard the spaceships that the USA sent to the moon in the 1960's. The internet, location-based services, heat-based sensors, biometric identification, big data analysis, machine learning and artificial intelligence, blockchain, the internet of things – all of these things were nothing but imaginary concepts, if they existed at all. Not only citizens suffer from this deficiency, but also the Israeli economy and hi-tech industry. Everyone is wondering what is permissible and what is not, having only a law from the stone-age of modern technology at their disposal. 

What can the Privacy Protection Authority, which is forced to operate in a rapidly changing technological environment, do with such an antiquated law? Well, it can work to change the law. It seems this is the first thing it must do. Even if the authority itself is not responsible for drafting the law, it is the professional body that should set in motion the necessary process at the advisory and legislation department of the Ministry of Justice.

But the Ministry of Justice is doing nothing.

In fact, it cannot even promote the changes already proposed to the Privacy Protection Law, which are intended to add an ugly and painful hump of draconian enforcement powers on top of the antiquated law.

While the Ministry of Justice sleeps on the job, Europe is examining whether Israel fits its standards of personal data protection. A short explanation: European law prohibits passing information on to a country that does not protect personal data in a manner acceptable to Europe. This prohibition is known as the principle of Adequacy. It was already introduced in the Directive which preceded the GDPR.  In 2011, the Privacy Protection Authority managed to convince the European Commission that Israel is adequate. We are one of only 13 countries in the world recognized as such. But our status is being reexamined; the decision will probably be made in 2020. And because we are not only slumbering with an ancient law, but since 2011 we also have enacted draconian legislations detrimental to privacy (for example, the biometric database law, the credit data law and now there is a memorandum on the cyber security law which is being considered). Thus, the odds of Europe once again acknowledging our adequacy are decreasing.

No authority wants to see Israel's status diminished on its watch. What can the Privacy Protection Authority do if it cannot work in-house within the Ministry of Justice to change the law?

It publishes guidelines. It has complete control of the text of the guidelines it drafts. The guidelines demonstrate how the Authority will interpret the 1981 law. But when you enforce the old law with new rules, you must have foundation in the statutory text. And this is nowhere to be found within the letter of the law. The result is a double and triple problem: it is first and foremost a constitutional problem – the state’s administrative authorities do not legislate, it is the role of the Knesset, the Israeli legislature; second, it diminishes the chances that the law will be amended – if it is substituted by guidelines, why should we bother with the tedious process of legislation? And finally, it is a problem because it breeds uncertainty: should I follow the guidelines which have no basis in the legal text or can I ignore them?

As sad and provocative as this may sound, the best thing that could happen to privacy in Israel is for Europe to decide to deny our adequacy status. When the collaboration of Israeli innovation authorities and research institutes with European programs and their generous funding is thrown into chaos, when the various sectors of the Israeli economy have to come up with tedious arrangements in order for information to move freely from Israel's important export market into the state, maybe then the Ministry of Justice will wake up and adopt a modern law for the protection of privacy.

First published in Mind the Gap, the author's privacy blog in Haartez

[Translation by Smart Human Translations]